Host-based Security – CompTIA Security+ SY0-401: 4.3

On a public Wi-Fi network, all of your security is whatever you’ve configured in your operating system. In this video, you’ll learn about host-based firewalls and intrusion protection systems.


Host-based firewalls are an excellent way to protect your system from the bad guys coming inbound to your computer. They set up a wall between you and the outside world so that people don’t have unfettered access to everything that’s inside of your computer. You often hear these referred to as personal firewalls. And you’ll find them in many different operating systems. Certainly if you’re running Windows, or Linux, or OS X, there is a personal firewall or a host-based firewall that’s already installed, and probably running in those operating systems.

You can also find third party solutions available. Many anti-virus and anti-malware companies will also include their own firewall along with their anti-malware software. So whether you use the built in firewall in your operating system or you use one from a third party, they’re all designed to keep the bad guys out of your system. These host based firewalls are stateful, which means they keep track of all of the sessions that you’re creating to the outside world. So you can continue to surf the internet without any type of interruption.

But just because you’re surfing out doesn’t mean the bad guys are able to then come into your network. It’s the stateful firewall that keeps track of this and allows your communication, but prevents any communication that doesn’t fall into that state. These personal firewalls are also able to manage the communication by application. This is something that’s very difficult to do on the network side. But if you were embedded into the operating system itself you have the luxury of knowing exactly what applications happen to be running on your system, and you can allow or disallow access in and out of that application all from this built in firewall.

The Windows Firewall is a good example of a personal firewall that’s able to use this application visibility to be able to make decisions about what traffic goes in and out of your system. The Windows Firewall can also be configured to allow or disallow traffic based on a TCP or UDP port number, which means that it can span many different kinds of applications, and really have a much broader security policy based on just a single port number. Here are the configuration settings for a Windows Firewall.

And whether you’re using Microsoft Windows or any other operating system, the configuration settings are very similar across operating systems themselves. The first dialog that we have here shows the ability to turn on and off the Windows Firewall. This is where you might want to turn it off, which is, as you can see, not a recommended setting. Generally, you want to have your firewall on all the time. In fact, if you do go outside of your house, maybe you’ve got your laptop with you, and you’re going to an open access point, you’re going to a coffee shop, you may even want to turn on the firewall and include the option to block all incoming connections.

You may allow incoming connections inside of your home. But when you’re outside of your home, that is an even safer configuration to prevent anybody from using any of the exceptions that you may have created in your firewall. And creating exceptions is a very useful tool. You can specify a particular application name for instance, and you would allow access into your computer using that particular application. For instance, Remote Desktop.

I might configure this system to be accessible from outside using remote desktop. No other application would be able to work unless I also included exceptions for those individual applications. And if you would like to have a much broader security profile, you could even add a specific TCP or UDP port number. That would allow access from the outside. Regardless of what the application happens to be, it would just need to be able to access your system using these very particular TCP or UDP ports. Just as we have network based firewalls and network based intrusion prevention systems, we also have those that are designed for individual hosts.
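The stateful tracking, the per-application and per-port exceptions, and the block-all-incoming setting described above, as an added toy model in Python (constructed for this page, not code from Windows Firewall or any other product; the process names and the 203.0.113.x / 198.51.100.x addresses are constructed sample values):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out", relative to this host
    proto: str            # "tcp" or "udp"
    remote: tuple         # (remote ip, remote port)
    local_port: int
    app: str              # process owning the local socket; a host firewall can see this

class HostFirewall:
    def __init__(self, block_all_incoming=False):
        self.block_all_incoming = block_all_incoming  # the "public Wi-Fi" setting
        self.app_exceptions = set()     # applications allowed to receive inbound connections
        self.port_exceptions = set()    # (proto, port) pairs allowed regardless of application
        self.sessions = set()           # flows this host initiated: the firewall's state table

    def allow_app(self, app):
        self.app_exceptions.add(app)

    def allow_port(self, proto, port):
        self.port_exceptions.add((proto, port))

    def filter(self, pkt):
        """Return True if the packet is permitted, False if it is dropped."""
        flow = (pkt.proto, pkt.remote, pkt.local_port)
        if pkt.direction == "out":
            self.sessions.add(flow)      # remember it so the reply can come back in
            return True
        if flow in self.sessions:        # reply to a session we started: stateful allow
            return True
        if self.block_all_incoming:      # ignore every exception while on an untrusted network
            return False
        # unsolicited inbound: only an explicit exception lets it through
        return pkt.app in self.app_exceptions or (pkt.proto, pkt.local_port) in self.port_exceptions

def demo():
    """Walk the rules with constructed packets; returns the six allow/drop decisions."""
    fw = HostFirewall()
    fw.allow_app("rdp-listener")                  # hypothetical Remote Desktop process name
    fw.allow_port("tcp", 8080)                    # port-based exception, any application
    web_out = Packet("out", "tcp", ("203.0.113.5", 443), 50000, "browser")
    web_reply = Packet("in", "tcp", ("203.0.113.5", 443), 50000, "browser")
    scan = Packet("in", "tcp", ("198.51.100.9", 40000), 445, "file-sharing")
    rdp = Packet("in", "tcp", ("198.51.100.9", 40001), 3389, "rdp-listener")
    custom = Packet("in", "tcp", ("198.51.100.9", 40002), 8080, "unknown-app")
    at_home = [fw.filter(p) for p in (web_out, web_reply, scan, rdp, custom)]
    coffee_shop = HostFirewall(block_all_incoming=True)
    coffee_shop.allow_app("rdp-listener")
    return at_home + [coffee_shop.filter(rdp)]   # [True, True, False, True, True, False]
```

The last decision shows why the block-all-incoming setting is safer away from home: the Remote Desktop exception that works on the home network is ignored, while replies to sessions the host started still get through.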

And you’re starting to see more and more individual host intrusion prevention systems running in software. These are usually separate applications. They are sometimes integrated into the firewall, especially if you’re using an IPS on your host that is built by a third party that likes to integrate all of these applications together. These host-based intrusion prevention systems generally protect your system based on a number of signatures.

So it’s going to look for a certain number of things to occur on your system. And if that traffic happens to match this very specific signature, it will alert you to this, or it will block that particular function altogether. So it can also look for certain types of activity. It may not know the signature for modifying a particular file in your system, but it knows that no one should be going into your System32 directory and modifying anything that’s inside there.

And if it does, then it will notify you: I don’t have a signature for this, but it looks awfully suspicious and I wanted to make you aware. Or it may choose to block it completely. So you may want to make sure that your system is running your built in firewall, and perhaps even has an intrusion prevention system to make sure that you’re able to maintain the security of your computer.
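The two detection styles just described, a signature match and a behavior rule for anything that changes System32, as an added example in Python (constructed for this page, not code from any HIPS product; the process names, the sample file events and the one-entry signature list are constructed):

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"
# Constructed sample signature list: (action, process name) pairs known to be malicious.
SIGNATURES = {("write", "known-bad-sample.exe")}
# Hypothetical processes that legitimately change System32 (e.g. the OS updater).
TRUSTED_WRITERS = {"TrustedInstaller.exe"}
CHANGES = {"write", "delete", "rename"}

def in_system32(path):
    """True if path lies in or under System32; case- and separator-insensitive."""
    base = ntpath.normcase(SYSTEM32)
    p = ntpath.normcase(ntpath.normpath(path))
    return p == base or p.startswith(base + "\\")

def inspect(event, mode="alert"):
    """Return (verdict, reason) for one file event; mode is "alert" or "block"."""
    hit = "block" if mode == "block" else "alert"
    proc, action, path = event["process"], event["action"], event["path"]
    if (action, proc) in SIGNATURES:            # first pass: known signatures
        return hit, "matched signature"
    if action in CHANGES and in_system32(path) and proc not in TRUSTED_WRITERS:
        return hit, "no signature, but modifying System32 is suspicious"  # behavior rule
    return "allow", ""

def run(events, mode="alert"):
    """Inspect a list of events and return the verdicts in order."""
    return [inspect(e, mode) for e in events]

# Constructed sample events, the kind a HIPS file-system hook would see.
SAMPLE_EVENTS = [
    {"process": "notepad.exe", "action": "write", "path": r"C:\Users\bob\notes.txt"},
    {"process": "notepad.exe", "action": "read", "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"process": "TrustedInstaller.exe", "action": "write", "path": r"C:\Windows\System32\ntdll.dll"},
    {"process": "updater.exe", "action": "write", "path": "c:/windows/system32/drivers/helper.sys"},
    {"process": "known-bad-sample.exe", "action": "write", "path": r"C:\Temp\dropped.tmp"},
]

if __name__ == "__main__":
    for event, (verdict, reason) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict:5} {event['process']:22} {event['action']:6} {event['path']}  {reason}")
```

Only the fourth and fifth events are flagged: the fourth has no signature and is caught purely by the System32 behavior rule, and switching mode to "block" turns both alerts into blocks.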